SKIP and NAT in series on the same host (as a tunnel end-point for network
1) causes problems for my network as I cannot easily route the returning
H2->N1 packets to S2 for SKIP processing and the encapsulated S2->S1 packets
to the Internet to make their way back to S1.  The S1 and N1 interface
address is the same leading to routing loops on network 2.

The flexible nature of ipfw rules allows the parallel use of both SKIP
and NAT on a single interface and a simple method for switching between
them.  Hosts on network 1 can appear as local to network 2 using a SKIP
tunnel from network 1 to network 2 or can access the Internet, masquerading
as the N1 host.  If network 1 is a discontinuous subnet of network 2 (seen
from the Internet as a part of network 2) its hosts can also access the
Internet through the tunnel and back out to the Internet through R2.  Both
network 1 and 2 hosts could use RFC-1918 addresses with a similar NAT/SKIP
controller for the network 2 connection to the Internet.

Decoupling SKIP and NAT is accomplished with rules preceding the divert
instruction that tell ipfw what you want to do.  I use:

allow skip from any to any in
allow skip from any to any out
allow udp from any to any skip_cdp
allow udp from any skip_cdp to any
divert natd ip from any to any via ed0

This allows looking at packet counts to see what's happening.
Interestingly, although everything works as it should, the skip out counter
does not increment, so SKIP must inject outbound packets below the ipfw
counter routine.

/etc/protocols contains:

skip    57    SKIP

And /etc/services contains:

natd        8668/divert
skip_cdp    1640/udp

These rules allow skip processing of packets before the divert rule is
reached.

By default, NAT will be in operation for all hosts.  Switching to SKIP is
only a matter of introducing rules for hosts and networks PRIOR to the NAT
divert rule.  As an example, if you want a host to begin processing packets
from H1 by SKIP rather than NAT you would enter something like:

allow ip from a.b.c.H1 to any

or, for a network

allow ip from a.b.c.0/24 to any
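The ordering the post relies on (SKIP and CDP rules, then per-host or
per-network bypass rules, then the natd divert rule) is easy to get wrong
when the ruleset grows, so here is an added example, not code from the
original post, that generates the ruleset in the correct order and checks it
before it is handed to ipfw.  The interface name ed0 and the 10.x addresses
are constructed placeholders; the rule keywords skip and skip_cdp resolve
through the /etc/protocols and /etc/services entries shown above.

```sh
#!/bin/sh
# Added example, not from the original post: build the ipfw ruleset described
# above so that SKIP handles selected sources and natd handles the rest.
# The interface name "ed0" and the 10.x addresses used below are constructed
# placeholders; "skip" and "skip_cdp" resolve through /etc/protocols and
# /etc/services as in the post.

# skip_nat_rules IFACE [SRC ...]
# Prints rules in load order: SKIP (protocol 57) and its CDP key exchange are
# accepted first, then one bypass rule per SKIP-handled host or network, and
# only then the natd divert rule, so anything matched earlier is never
# translated by natd.
skip_nat_rules() {
    iface=$1
    shift
    printf 'allow skip from any to any in\n'
    printf 'allow skip from any to any out\n'
    printf 'allow udp from any to any skip_cdp\n'
    printf 'allow udp from any skip_cdp to any\n'
    for src in "$@"; do
        printf 'allow ip from %s to any\n' "$src"
    done
    printf 'divert natd ip from any to any via %s\n' "$iface"
}

# ipfw_commands IFACE [SRC ...]
# Same ruleset prefixed with "ipfw add", so it can be reviewed before being
# run as root on the gateway.
ipfw_commands() {
    skip_nat_rules "$@" | sed 's/^/ipfw add /'
}

# rule_count RULESET: number of non-empty rule lines in the string.
rule_count() {
    printf '%s\n' "$1" | grep -c .
}

# check_order RULESET
# Returns 0 when a natd divert rule exists and every "allow ip from" bypass
# precedes it; returns 1 otherwise.  A bypass placed after the divert rule
# would be NATed instead of going through the SKIP tunnel.
check_order() {
    divert_at=$(printf '%s\n' "$1" | grep -n '^divert natd' | cut -d: -f1 | head -n 1)
    [ -n "$divert_at" ] || return 1
    last_bypass=$(printf '%s\n' "$1" | grep -n '^allow ip from' | cut -d: -f1 | tail -n 1)
    [ -z "$last_bypass" ] || [ "$last_bypass" -lt "$divert_at" ]
}

# Usage: one SKIP-handled host and one SKIP-handled /24 (constructed values).
rules=$(skip_nat_rules ed0 10.1.1.5 10.1.2.0/24)
if check_order "$rules"; then
    ipfw_commands ed0 10.1.1.5 10.1.2.0/24
else
    echo "bypass rules must precede the natd divert rule" >&2
fi
```

Running the script prints the "ipfw add ..." lines rather than executing
them, so the generated order can be inspected with the packet counters in
mind; removing a host from the argument list returns it to NAT without
touching the SKIP or divert rules.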

This arrangement has been tested with FreeBSD 2.2.7, the included natd-1.11
and the skip-1.0 port all installed without modification and configured as
recommended.

Monospaced version
-----------------------------

[H1]-+-[-+-N1-+-]--[R1]--[Internet]--[R2]-+-[H2]
     |   +-S1-+                           +-[S2] (single homed)
     |                                    |
  network 1                            network 2


    Jim Flowers <[EMAIL PROTECTED]>